From 1a93e3f293af2c133ea0ecad848f1d9454eec175 Mon Sep 17 00:00:00 2001
From: Alex Steel <130377221+asteel-gsa@users.noreply.github.com>
Date: Thu, 2 May 2024 13:12:02 -0400
Subject: [PATCH] add trivy (testing)

---
 .github/workflows/trivy.yml | 49 +++++++++++++++++++++++++++++++++++++
 1 file changed, 49 insertions(+)
 create mode 100644 .github/workflows/trivy.yml

diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
new file mode 100644
index 000000000..3b7d5104d
--- /dev/null
+++ b/.github/workflows/trivy.yml
@@ -0,0 +1,49 @@
+---
+name: Trivy Scan
+on:
+  workflow_dispatch:
+  workflow_call:
+  push:
+    branches:
+      - main
+      - deploy-to-cloud-gov
+
+permissions:
+  contents: read
+
+jobs:
+  scan-third-party:
+    permissions:
+      contents: read
+      security-events: write
+      actions: read
+    name: Trivy Scan Third Party Images
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        image:
+          - name: ghcr.io/gsa-tts/spiffworkflow-backend:deploy-to-cloud-gov-latest
+          - name: ghcr.io/gsa-tts/spiffworkflow-frontend:deploy-to-cloud-gov-latest
+          - name: ghcr.io/gsa-tts/connector-proxy-demo:deploy-to-cloud-gov-latest
+    steps:
+      - name: Pull Third Party Docker Images
+        run: docker pull ${{ matrix.image.name }}
+
+      - name: Run Trivy vulnerability scanner on Third Party Images
+        uses: aquasecurity/trivy-action@0.19.0
+        with:
+          image-ref: '${{ matrix.image.name }}'
+          scan-type: 'image'
+          hide-progress: false
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+          exit-code: 0 # Setting the exit-code to 1 will fail the action, without publishing to Github Security Tab (> aquasecurity/trivy-action@0.13.1)
+          severity: 'CRITICAL,HIGH'
+          timeout: 15m0s
+          ignore-unfixed: true
+
+      - name: Upload Trivy scan results to GitHub Security tab for Third Party Images
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: 'trivy-results.sarif'
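Review bot: Both actions in the new job are referenced by mutable tag (`uses: aquasecurity/trivy-action@0.19.0` and `uses: github/codeql-action/upload-sarif@v3`) rather than by full commit SHA, so a job that holds `security-events: write` on the repository trusts whatever those tags resolve to at run time; pin each to a 40-character commit SHA and keep the version in a trailing comment, e.g. `uses: aquasecurity/trivy-action@<sha> # 0.19.0`. The three matrix jobs also upload their SARIF with no `category`, and GitHub code scanning appears to treat uploads for the same commit and tool without distinct categories as one analysis, so two of the three result sets would be replaced rather than kept; adding `category: 'trivy-${{ matrix.image.name }}'` (or a shorter per-image key if colons are rejected) to the upload-sarif `with:` block separates them. The `on:` block has no `schedule:` trigger, so an image that is not re-pushed is never re-scanned as new CVEs are published against it; a cron entry would cover that gap. The `exit-code: 0` and `ignore-unfixed: true` settings mean findings are reported but never block, which the inline comment says is intentional, so this is worth stating in the workflow header comment as well.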